Run PowerShellPlus, and the following appears.
If a wrong serial number is entered, an error message box is displayed.
Set a breakpoint: bp MessageBoxW
Enter the serial number, click OK, and the breakpoint hits.
Run kb; the stack shows
0012e458 7b7bf97b 00000000 00000000 00000000 System_Windows_Forms_ni+0x7efcf8
This shows it is a .NET program. Trying to open it with .NET Reflector gives the error
Invalid number of data directories in NT header.
Run !dumpdomain to list the loaded .NET DLLs. From the output we learn that PowerShellPlus uses
Microsoft.PowerShell.Commands.Management.dll
Microsoft.PowerShell.Security.dll
Microsoft.PowerShell.Commands.Utility.dll
Microsoft.PowerShell.ConsoleHost.dll
The assembly related to licensing is C:\Program Files\Idera\PowerShellPlus\License4Net.dll
Run !clrstack, which shows
0:000> !clrstack
OS Thread Id: 0x280c (0)
ESP EIP
0012e368 7e466534 [NDirectMethodFrameStandalone: 0012e368] System.Windows.Forms.SafeNativeMethods.MessageBox(System.Runtime.InteropServices.HandleRef, System.String, System.String, Int32)
0012e384 7b7bfcf8 System.Windows.Forms.MessageBox.ShowCore(System.Windows.Forms.IWin32Window, System.String, System.String, System.Windows.Forms.MessageBoxButtons, System.Windows.Forms.MessageBoxIcon, System.Windows.Forms.MessageBoxDefaultButton, System.Windows.Forms.MessageBoxOptions, Boolean)
0012e388 7b7bf97b [InlinedCallFrame: 0012e388]
0012e460 7b194190 System.Windows.Forms.Control.OnClick(System.EventArgs)
…
0012e944 7b7227c3 System.Windows.Forms.Form.ShowDialog()
0012e948 048e7c61 Idera.Tools.Core.Form_Welcome.linkNewLicenseKey_LinkClicked(System.Object, System.Windows.Forms.LinkLabelLinkClickedEventArgs)
0012e95c 7b87a5b1 System.Windows.Forms.LinkLabel.OnLinkClicked(System.Windows.Forms.LinkLabelLinkClickedEventArgs)
…
0012ee34 7b7227c3 System.Windows.Forms.Form.ShowDialog()
0012ee38 018cd49e Idera.Tools.Core.LicenseUI.StartupLicenseCheck()
0012ee58 018cd1fe PSP.PSPlusApp.eCWYV2J36e(Boolean)
0012ee88 018ccb1f PSP.PSPlusApp..ctor()
Idera.Tools.Core.Form_Welcome.linkNewLicenseKey_LinkClicked corresponds to the "Register New License Key" link on the Welcome form.
Run !ip2md 048e7c61 to show the MethodDesc of linkNewLicenseKey_LinkClicked
0:000> !ip2md 048e7c61
MethodDesc: 01d10514
Method Name: Idera.Tools.Core.Form_Welcome.linkNewLicenseKey_LinkClicked(System.Object, System.Windows.Forms.LinkLabelLinkClickedEventArgs)
Class: 01c06ff0
MethodTable: 01d10568
mdToken: 0600001b
Module: 0193c78c
IsJitted: yes
CodeAddr: 048e7c40
Run !u 01d10514 to disassemble linkNewLicenseKey_LinkClicked
0:000> !u 01d10514
Normal JIT generated code
Idera.Tools.Core.Form_Welcome.linkNewLicenseKey_LinkClicked(System.Object, System.Windows.Forms.LinkLabelLinkClickedEventArgs)
Begin 048e7c40, size 4a
048e7c40 55 push ebp
048e7c41 8bec mov ebp,esp
048e7c43 57 push edi
048e7c44 56 push esi
048e7c45 8bf9 mov edi,ecx
048e7c47 b924028d04 mov ecx,offset +0x48d0223 (048d0224) (MT: Idera.Tools.Core.Form_AddLicense)
048e7c4c e866095a75 call mscorwks!JIT_NewCrossContext (79e885b7)
048e7c51 8bf0 mov esi,eax
048e7c53 8bce mov ecx,esi
048e7c55 e82eccfbff call +0x48a4887 (048a4888) (Idera.Tools.Core.Form_AddLicense..ctor(), mdToken: 06000007)
048e7c5a 8bce mov ecx,esi
048e7c5c e807008776 call System_Windows_Forms_ni+0x187c68 (7b157c68) (System.Windows.Forms.Form.ShowDialog(), mdToken: …
The dialog in which the serial number is entered is Idera.Tools.Core.Form_AddLicense.
Run !dumpheap -type Idera.Tools.Core.Form_AddLicense to get its address
0:000> !dumpheap -type Idera.Tools.Core.Form_AddLicense
Address MT Size
01f181c8 048d0224 344
total 1 objects
Statistics:
MT Count TotalSize Class Name
048d0224 1 344 Idera.Tools.Core.Form_AddLicense
Total 1 objects
Run !do 01f181c8 to get the field values of Idera.Tools.Core.Form_AddLicense
0:000> !do 01f181c8
Name: Idera.Tools.Core.Form_AddLicense
MethodTable: 048d0224
EEClass: 0489bc9c
Size: 344(0x158) bytes
(ToolsCore, Version=1.2.0.62, Culture=neutral, PublicKeyToken=null)
Fields:
MT Field Offset Type VT Attr Value Name
…
79330a00 4000003 13c System.String 0 instance 01e61198 licenseKey
7b21e9d0 4000006 148 …ows.Forms.TextBox 0 instance 01f18874 textBox_NewKey
First look at the value of licenseKey. Run !do 01e61198
0:000> !do 01e61198
Name: System.String
MethodTable: 79330a00
EEClass: 790ed64c
Size: 18(0x12) bytes
(C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll)
String:
Fields:
MT Field Offset Type VT Attr Value Name
79332c4c 4000096 4 System.Int32 1 instance 1 m_arrayLength
79332c4c 4000097 8 System.Int32 1 instance 0 m_stringLength
793316e0 4000098 c System.Char 1 instance 0 m_firstChar
79330a00 4000099 10 System.String 0 shared static Empty
>> Domain:Value 0014c300:01e61198 <<
79331630 400009a 14 System.Char[] 0 shared static WhitespaceChars
>> Domain:Value 0014c300:01e61740 <<
Its value is empty; it is not clear what this licenseKey field is for.
Next, check whether the value in textBox_NewKey is qqq. Run !do 01f18874, which shows
0:000> !do 01f18874
Name: System.Windows.Forms.TextBox
MethodTable: 7b21e9d0
EEClass: 7afdccc0
Size: 168(0xa8) bytes
(C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll)
Fields:
MT Field Offset Type VT Attr Value Name
…
79330a00 4001130 20 System.String 0 instance 00000000 text
So where is its Text value actually stored?
Look at the methods defined on Idera.Tools.Core.Form_AddLicense.
Run !dumpmt -md 048d0224, which shows
0:000> !dumpmt -md 048d0224
EEClass: 0489bc9c
Module: 0193c78c
Name: Idera.Tools.Core.Form_AddLicense
mdToken: 02000003 (ToolsCore, Version=1.2.0.62, Culture=neutral, PublicKeyToken=null)
BaseSize: 0x158
ComponentSize: 0x0
Number of IFaces in IFaceMap: 15
Slots in VTable: 378
--------------------------------------
MethodDesc Table
Entry MethodDesc JIT Name
048a48b8 048d01b0 JIT Idera.Tools.Core.Form_AddLicense.button_OK_Click(System.Object, System.EventArgs)
Run !u 048d01b0 to disassemble Idera.Tools.Core.Form_AddLicense.button_OK_Click
0:000> !u 048d01b0
Normal JIT generated code
Idera.Tools.Core.Form_AddLicense.button_OK_Click(System.Object, System.EventArgs)
Begin 04948100, size f5
04948100 55 push ebp
04948101 8bec mov ebp,esp
04948103 57 push edi
04948104 56 push esi
04948105 53 push ebx
04948106 8bf9 mov edi,ecx
04948108 8bb748010000 mov esi,dword ptr +0x147 (00000148)[edi]
0494810e 8b8f48010000 mov ecx,dword ptr +0x147 (00000148)[edi]
04948114 8b01 mov eax,dword ptr [ecx]
04948116 ff9064010000 call dword ptr +0x163 (00000164)[eax]
0494811c 3900 cmp dword ptr [eax],eax
0494811e 6a02 push 2
04948120 8b153010e802 mov edx,dword ptr [+0x2e8102f (02e81030)] (Object: System.Char[])
04948126 8bc8 mov ecx,eax
04948128 e813ad9974 call mscorlib_ni+0x222e40 (792e2e40) (System.String.TrimHelper(Char[], Int32), mdToken: 060001b7)
0494812d 8bd0 mov edx,eax
0494812f 8bce mov ecx,esi
04948131 8b01 mov eax,dword ptr [ecx]
04948133 ff9068010000 call dword ptr +0x167 (00000168)[eax]
04948139 e8f2f69374 call mscorlib_ni+0x1c7830 (79287830) (System.Reflection.Assembly.GetExecutingAssembly(), mdToken: 06001c31)
0494813e 8bc8 mov ecx,eax
04948140 8b01 mov eax,dword ptr [ecx]
04948142 ff504c call dword ptr [eax+4Ch]
04948145 8bd8 mov ebx,eax
04948147 b9e803df01 mov ecx,offset +0x1df03e7 (01df03e8) (MT: Idera.Tools.Core.BBSProductLicense)
0494814c e8cb9ebefc call +0x153201b (0153201c) (JitHelp: CORINFO_HELP_NEWSFAST)
04948151 8bf0 mov esi,eax
04948153 8b5b18 mov ebx,dword ptr [ebx+18h]
04948156 8b8f48010000 mov ecx,dword ptr +0x147 (00000148)[edi]
0494815c 8b01 mov eax,dword ptr [ecx]
0494815e ff9064010000 call dword ptr +0x163 (00000164)[eax]
04948164 50 push eax
04948165 8bd3 mov edx,ebx
04948167 8bce mov ecx,esi
>>> 04948169 e8d257fdfc call +0x191d93f (0191d940) (Idera.Tools.Core.BBSProductLicense..ctor(System.Version, System.String), mdToken: 0600003b)
0494816e 8d460c lea eax,[esi+0Ch]
04948171 83781400 cmp dword ptr [eax+14h],0
04948175 751e jne +0x4948194 (04948195) //-- key point: jumps into the failure branch at 04948195
04948177 8d460c lea eax,[esi+0Ch]
0494817a 80781c00 cmp byte ptr [eax+1Ch],0
0494817e 7449 je +0x49481c8 (049481c9) //-- jumps into the success branch at 049481c9
04948180 8d460c lea eax,[esi+0Ch]
04948183 8b480c mov ecx,dword ptr [eax+0Ch]
04948186 8b154421e802 mov edx,dword ptr [+0x2e82143 (02e82144)] ("None")
0494818c e8df999974 call mscorlib_ni+0x221b70 (792e1b70) (System.String.Equals(System.String, System.String), mdToken: 06000143)
04948191 85c0 test eax,eax
04948193 7434 je +0x49481c8 (049481c9) //-- jumps into the success branch at 049481c9
04948195 8d460c lea eax,[esi+0Ch]
04948198 8b5814 mov ebx,dword ptr [eax+14h]
0494819b 8b8f48010000 mov ecx,dword ptr +0x147 (00000148)[edi]
049481a1 8b01 mov eax,dword ptr [ecx]
049481a3 ff9064010000 call dword ptr +0x163 (00000164)[eax]
049481a9 50 push eax
049481aa 8bd3 mov edx,ebx
049481ac 8bce mov ecx,esi
049481ae ff150801df01 call dword ptr [+0x1df0107 (01df0108)] (Idera.Tools.Core.BBSProductLicense.GetErrorMessage(LicenseState, System.String), mdToken: 0600003d)
049481b4 ff35f821e802 push dword ptr [+0x2e821f7 (02e821f8)] ("Invalid License Key")
049481ba 6a00 push 0
049481bc 6a10 push 10h
049481be 8bd0 mov edx,eax
049481c0 8bcf mov ecx,edi
049481c2 e89d77e776 call System_Windows_Forms_ni+0x7ef964 (7b7bf964) (System.Windows.Forms.MessageBox.Show(System.Windows.Forms.IWin32Window, System.String, System.String, System.Windows.Forms.MessageBoxButtons, System.Windows.Forms.MessageBoxIcon), mdToken: 060048b4)
049481c7 eb25 jmp +0x49481ed (049481ee) //-- leave the function
049481c9 8b8f48010000 mov ecx,dword ptr +0x147 (00000148)[edi] //-- success branch
049481cf 8b01 mov eax,dword ptr [ecx]
049481d1 ff9064010000 call dword ptr +0x163 (00000164)[eax]
049481d7 8d973c010000 lea edx,+0x13b (0000013c)[edi]
049481dd e8deab5275 call mscorwks!JIT_WriteBarrierEAX (79e72dc0)
049481e2 8bcf mov ecx,edi
049481e4 ba01000000 mov edx,offset (00000001)
049481e9 e8ba1b8076 call System_Windows_Forms_ni+0x179da8 (7b149da8) (System.Windows.Forms.Form.set_DialogResult(System.Windows.Forms.DialogResult), mdToken: 06003cf9)
049481ee 5b pop ebx
049481ef 5e pop esi
049481f0 5f pop edi
049481f1 5d pop ebp
049481f2 c20400 ret 4
The code above first constructs an Idera.Tools.Core.BBSProductLicense object. Its constructor has the form
BBSProductLicense(System.Version, "qqq") and sets the BBSProductLicense object's fields from the values passed in.
At this point esi points to the BBSProductLicense object:
0:000> r
eax=01f5a7f0 ebx=01f5a7cc ecx=01f5aae0 edx=00000001 esi=01f5a7e4 edi=01ece89c
eip=04948171 esp=0012e434 ebp=0012e440 iopl=0 nv up ei ng nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000293
0:000> !do 01f5a7e4
Name: Idera.Tools.Core.BBSProductLicense
MethodTable: 01df03e8
EEClass: 01b86990
Size: 48(0x30) bytes
(ToolsCore, Version=1.2.0.62, Culture=neutral, PublicKeyToken=null)
Fields:
MT Field Offset Type VT Attr Value Name
01df0394 4000055 c …cense+LicenseData 1 instance 01f5a7f0 licenseData
79330a00 4000056 4 System.String 0 instance 01f5aac0 m_scopeString
793325a8 4000057 8 System.Version 0 instance 01f5a7cc m_productVersion
esi+0Ch points to the licenseData field of the BBSProductLicense object, which is a value type:
0:000> !dumpvc 01df0394 01f5a7f0
Name: Idera.Tools.Core.BBSProductLicense+LicenseData
MethodTable 01df0394
EEClass: 01b869f4
Size: 40(0x28) bytes
(ToolsCore, Version=1.2.0.62, Culture=neutral, PublicKeyToken=null)
Fields:
MT Field Offset Type VT Attr Value Name
01df0244 4000058 14 System.Int32 1 instance 1 licState
79330a00 4000059 0 System.String 0 instance 01f5a85c key
793044cc 400005a 1c System.Boolean 1 instance 0 isTrial
79330a00 400005b 4 System.String 0 instance 01eb6f80 typeStr
79330a00 400005c 8 System.String 0 instance 01eb6fc4 forStr
79330a00 400005d c System.String 0 instance 01f5ab0c expirationDateStr
79330a00 400005e 10 System.String 0 instance 01f5ab94 daysToExpireStr
79332c4c 400005f 18 System.Int32 1 instance 0 daysToExpire
793044cc 4000060 1d System.Boolean 1 instance 1 isAboutToExpire
esi+0Ch+14h is the licState field; if it is non-zero, the error message is shown.
Next, the isTrial field is checked:
04948177 8d460c lea eax,[esi+0Ch]
0494817a 80781c00 cmp byte ptr [eax+1Ch],0
0494817e 7449 je +0x49481c8 (049481c9)
If it is 0, the function exits; otherwise it goes on to check expirationDateStr:
04948180 8d460c lea eax,[esi+0Ch]
04948183 8b480c mov ecx,dword ptr [eax+0Ch]
04948186 8b154421e802 mov edx,dword ptr [+0x2e82143 (02e82144)] ("None")
0494818c e8df999974 call mscorlib_ni+0x221b70 (792e1b70) (System.String.Equals(System.String, System.String), mdToken:
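The offset arithmetic above (esi+0Ch is licenseData, then +14h, +1Ch and +0Ch inside it) can be automated for any SOS dump. The following Python is an added analysis aid, not code from the original post or from Idera: it parses the `!do` and `!dumpvc` field tables quoted above (embedded here as a constructed sample copied from this page) and maps a chain of x86 displacements from the disassembly onto dotted field names, the way one would when reading SOS output from a crash dump or a malware sample.

```python
# Constructed sample input: the two SOS field tables quoted above (`!do` on
# BBSProductLicense and `!dumpvc` on its LicenseData value type).
SOS_TABLES = {
    "Idera.Tools.Core.BBSProductLicense": """
MT Field Offset Type VT Attr Value Name
01df0394 4000055 c ...cense+LicenseData 1 instance 01f5a7f0 licenseData
79330a00 4000056 4 System.String 0 instance 01f5aac0 m_scopeString
793325a8 4000057 8 System.Version 0 instance 01f5a7cc m_productVersion
""",
    "Idera.Tools.Core.BBSProductLicense+LicenseData": """
MT Field Offset Type VT Attr Value Name
01df0244 4000058 14 System.Int32 1 instance 1 licState
79330a00 4000059 0 System.String 0 instance 01f5a85c key
793044cc 400005a 1c System.Boolean 1 instance 0 isTrial
79330a00 400005b 4 System.String 0 instance 01eb6f80 typeStr
79330a00 400005c 8 System.String 0 instance 01eb6fc4 forStr
79330a00 400005d c System.String 0 instance 01f5ab0c expirationDateStr
79330a00 400005e 10 System.String 0 instance 01f5ab94 daysToExpireStr
79332c4c 400005f 18 System.Int32 1 instance 0 daysToExpire
793044cc 4000060 1d System.Boolean 1 instance 1 isAboutToExpire
""",
}

def parse_fields(table):
    """Turn a SOS 'Fields:' table into {offset: (name, type, is_value_type)}."""
    fields = {}
    for line in table.strip().splitlines()[1:]:      # skip the header row
        parts = line.split()
        if len(parts) != 8 or parts[5] != "instance":
            continue                                  # statics / truncated rows
        _mt, _fld, off, typ, vt, _attr, _val, name = parts
        fields[int(off, 16)] = (name, typ, vt == "1")
    return fields

LAYOUTS = {t: parse_fields(tbl) for t, tbl in SOS_TABLES.items()}

def resolve(type_name, displacements):
    """Follow a chain of x86 displacements (e.g. [esi+0Ch] then [eax+14h])
    through the layouts and return the dotted field path they address."""
    path = []
    for disp in displacements:
        name, typ, is_vt = LAYOUTS[type_name][disp]
        path.append(name)
        # SOS truncates long type names ("...cense+LicenseData"): match by suffix.
        nested = [t for t in LAYOUTS if t.endswith(typ.lstrip(".\u2026"))]
        if not is_vt or not nested:   # reference fields point at another object
            break
        type_name = nested[0]
    return ".".join(path)
```

Only inline value-type fields are descended into; a reference-type field holds a pointer to a separate object, so the chain stops there and that object needs its own `!do`.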
Set a breakpoint on the BBSProductLicense constructor:
!bpmd ToolsCore Idera.Tools.Core.BBSProductLicense..ctor
Disassemble it:
0:000> !u 0191d940
Normal JIT generated code
Idera.Tools.Core.BBSProductLicense..ctor(System.Version, System.String)
Begin 0191d940, size 70
>>> 0191d940 55 push ebp
…
0191d9a4 ff15a401df01 call dword ptr [+0x1df01a3 (01df01a4)] (Idera.Tools.Core.BBSProductLicense.FillLicenseData(System.String), mdToken: 0600004a)
0191d9aa 5e pop esi
0191d9ab 5f pop edi
0191d9ac 5d pop ebp
0191d9ad c20400 ret 4
Next, disassemble Idera.Tools.Core.BBSProductLicense.FillLicenseData
0:000> !u 04946578
Normal JIT generated code
Idera.Tools.Core.BBSProductLicense.FillLicenseData(System.String)
Begin 04946578, size 13f
>>> 04946578 55 push ebp
04946579 8bec mov ebp,esp
0494657b 57 push edi
…
049465bd ff15d401df01 call dword ptr [+0x1df01d3 (01df01d4)] (Idera.Tools.Core.BBSProductLicense.LoadAndValidateLicense(System.String,BBS.License.BBSLic ByRef), mdToken: 0600004e)
…
This finally leads to the component that actually handles licensing: BBS.License.BBSLic
0:000> !dumpmt 01dffebc
EEClass: 048facd4
Module: 01df0f50
Name: BBS.License.BBSLic
mdToken: 02000003 (C:\Program Files\Idera\PowerShellPlus\License4Net.dll)
BaseSize: 0xc
ComponentSize: 0x0
Number of IFaces in IFaceMap: 1
Slots in VTable: 45
Its core function is
public unsafe LicErr LoadKeyString(string Key)
{
    LicErr oK = LicErr.OK;
    // Copy the managed key into an unmanaged ANSI buffer for the native CLicense code
    sbyte modopt(IsSignUnspecifiedByte)* numPtr = (sbyte modopt(IsSignUnspecifiedByte)*) Marshal.StringToHGlobalAnsi(Key).ToPointer();
    // Map the native return code onto the managed LicErr enum
    switch (CLicense.LoadKeyString(this.pLic, numPtr))
    {
        case 1:
            oK = LicErr.NotBase64;
            break;
        case 2:
            oK = LicErr.UnsupportedKeyVersion;
            break;
        case 3:
            oK = LicErr.InvalidLength;
            break;
        case 4:
            oK = LicErr.ChecksumError;
            break;
        case 6:
            oK = LicErr.FutureKey;
            break;
    }
    Marshal.FreeHGlobal((IntPtr) numPtr);
    return oK;
}
The CLicense code, however, is encrypted and full of jumps, so this path is a dead end.